nixos/lxc: apply recommendations from distrobuilder

This commit is contained in:
Aaron Andersen 2022-11-29 09:16:28 -05:00
parent 582a78f910
commit ecf7441d25

View File

@ -88,6 +88,16 @@ in
};
'';
};
privilegedContainer = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Whether this LXC container will be running as a privileged container or not. If set to `true` then
additional configuration will be applied to the `systemd` instance running within the container as
recommended by [distrobuilder](https://linuxcontainers.org/distrobuilder/introduction/).
'';
};
};
};
@ -146,12 +156,31 @@ in
};
# Add the overrides from lxd distrobuilder
systemd.extraConfig = ''
[Service]
ProtectProc=default
ProtectControlGroups=no
ProtectKernelTunables=no
'';
# https://github.com/lxc/distrobuilder/blob/05978d0d5a72718154f1525c7d043e090ba7c3e0/distrobuilder/main.go#L630
systemd.packages = [
(pkgs.writeTextFile {
name = "systemd-lxc-service-overrides";
destination = "/etc/systemd/system/service.d/zzz-lxc-service.conf";
text = ''
[Service]
ProcSubset=all
ProtectProc=default
ProtectControlGroups=no
ProtectKernelTunables=no
NoNewPrivileges=no
LoadCredential=
'' + optionalString cfg.privilegedContainer ''
# Additional settings for privileged containers
ProtectHome=no
ProtectSystem=no
PrivateDevices=no
PrivateTmp=no
ProtectKernelLogs=no
ProtectKernelModules=no
ReadWritePaths=
'';
})
];
# Allow the user to login as root without password.
users.users.root.initialHashedPassword = mkOverride 150 "";